Lead the AI era of GRC at Elevate 2026 — Join us April 22–24 in Atlanta Register nowarrow_forward

menu

Lead the AI era of GRC at Elevate 2026 — Join us April 22–24 in Atlanta Register now

arrow_forward

language

Products

arrow_drop_down

Solutions

arrow_drop_down

Resources

arrow_drop_down

Diligent AI

Request a demo

Governance

Risk

Compliance

Audit

Diligent Boards

Automate meeting prep, secure sensitive data and give directors the clarity to make the best decisions.

BoardEffect

Secure, flexible board management software for nonprofits and higher education.

Community

Increase transparency, streamline governance and empower your school board or local government.

Diligent Market Intelligence

On-demand access to exclusive shareholder activism, executive compensation and ESG data.

FEATURED

Diligent One Platform

Centralize and unify all your board management and GRC activities

Role

Use Cases

Company Type

Industries

General Counsel

Safeguard your organization with centralized oversight of governance, risk and compliance.

Corporate Secretary

Run governance flawlessly with AI tools that eliminate busywork and ensure audit-readiness.

Executive Assistant

Streamline board prep, communications and approvals with AI workflows for seamless meetings.

C-Suite

Accelerate decisions and inspire confidence with AI-powered reporting and real-time risk intelligence.

Directors & Trustees

Prepare faster, mitigate risk and make smarter decisions with purpose-built board tools.

Risk Manager

See enterprise risk in real time, act decisively, and deliver AI-powered insights.

Information Security

Unify IT risk, compliance and cyber oversight in one secure platform.

Compliance Officer

Turn regulatory obligations into clear, actionable metrics — proving compliance and ROI.

Internal Auditor

Connect audit management, analytics and monitoring in a secure, AI-powered hub.

FEATURED

Diligent One Platform

Centralize and unify all your board management and GRC activities

Content Library

Case Studies

Virtual Summits

Events

Resources Hub

Discover all of Diligent's insights in one place. Stay ahead of trends with expert perspectives, exclusive research and information you won't find anywhere else.

MEDIA TYPE

Blog Guides Videos Podcasts Content Toolkits Research & Reports

BY TOPIC

Governance Risk & Audit Compliance AI & Cyber Public Sector Diligent Institute

FEATURED

Diligent named a Leader in 2025 Gartner® Magic Quadrant™ for GRC

How (and why) CISOs should improve their IT risk communications with the board

August 22, 2023

•

6 min read

A CISO gathers data to prepare for her board presentation

Kaelyn Barron

Senior Specialist

Share:

With costly cyber incidents on the rise, it has become clear that the traditional divide between cybersecurity and governance, risk and compliance (GRC) no longer serves companies at a strategic level.

To build cyber resilience and protect themselves from a rising tide of cyber risk, organizations must find better ways to incorporate IT risk strategy into the board’s GRC efforts. Simply put: Cybersecurity is a GRC issue, and companies must behave accordingly.

This raises important questions: How can CISOs communicate IT and cyber risk within their organizations? How can they break through to executives and the board, and effect real change through smart policies?

This article outlines key strategies CISOs can use to improve their communications with top leadership, as well as background on recent regulatory developments and technology that makes effective communication easier.

Adapting to new regulations

In July 2023, the SEC officially adopted new rules for enhanced cybersecurity disclosures. The new regulations cover a lot of ground, and require organizations to disclose how the board executes its cyber oversight, how cybersecurity factors into core business strategy and how CISOs report within the organization — which will have major implications for companies of every size.

Businesses will also be required to disclose material cyber incidents within four days of confirming their materiality, which requires quantitative and qualitative analyses at the highest levels of the organization — further underscoring the importance of keeping the board up to date on cyber issues.

Bottom line: Cyber knowledge gaps won’t just leave your organization open to costly breaches — they have the potential to incur serious regulatory penalties.

Improving board communications around cyber

To effect change within their organizations, CISOs must craft a strong communication strategy to ensure the board has a deep understanding of IT risk. Here are five strategies you can use to accomplish this goal:

Make sure the board understands the full breadth of external and internal cyber risk. Many executives, even those with a good understanding of cybersecurity protocols, tend to think about cyber risk exclusively in terms of bad actors and cybercriminals. While those forces certainly represent serious threats, the reality is that internal personnel present a substantial source of cyber risk. In fact, 91 percent of successful hacks originate from phishing emails. Emphasizing this “human factor” of cyber risk makes it easier for boards to throw their support behind cyber awareness training programs, encouraging them to take a more holistic approach to managing cyber risk.

Speak their language. Many CISOs make the mistake of communicating in a hyper-technical language that alienates the board. For a better chance at achieving consensus on core cyber issues, present those issues in company- and industry-specific terms. Employ hypotheticals and real-life scenarios with concrete figures to illustrate the financial impact of a serious breach. For example, if a competitor recently experienced a high-profile breach, use it as a teaching moment to highlight vulnerabilities that could put your company in a similar position.
Emphasize the benefits of a proactive approach. Many board members are still stuck in a reactive frame of mind when it comes to cyber risk; for them, the purpose of cyber strategy is mitigating damage only after something’s gone wrong. Fortunately, the new SEC regulations offer CISOs a more prominent seat at the table when it comes to recommending proactive strategies that bolster cyber resilience and reduce the risk of materially damaging events. But CISOs cannot simply point to the regulations as the reason to implement more proactive strategies. Rather, they should help board members understand how a proactive approach can add business value — for example, by giving the business confidence to move with speed and agility, with assurance in cyber resiliency.
Solicit feedback. Be direct with your audience and determine if they have any lingering questions or preferred methods translating complex cyber risk issues into actionable policy. This arms you with more knowledge about how your board best receives information, and it also alerts you to lingering gaps in their cyber understanding and expertise. What’s more, it gives you invaluable insight into their emotional and psychological stance when it comes to cybersecurity, which you can leverage to create a stronger understanding as you iterate your communication strategy.
Use risk reporting technology. Presenting risk data in a compelling, digestible format is a real challenge, but it is easily remedied with risk reporting technology. These software options take dense, complex and scattered raw material, and draw out trends and priorities your board can latch onto — while also taking time-consuming work (such as data gathering, manual reporting and analysis) off your plate.

Making the most of risk reporting technology

Risk reporting tools, such as Diligent Board Reporting for IT Risk, equip CISOs with a suite of tools that turn effective board communications from a complex challenge into a simple, three-step process:

Aggregate all your IT risk data within one platform and use third-party perspectives from Security Scorecard and Bitsight to add valuable context and benchmark yourself against industry peers.
Create a standardized, repeatable set of risk dashboards with auditable, consistent and easy-to-understand reports that allow the board to see progress over time.
Communicate the full breadth of your risk story while elevating the board’s understanding of complicated, nuanced IT risks and opportunities.

Turning cybersecurity into a business driver

The wave of cybercrime won’t ebb — in fact, the volume of attacks is expected to increase by 15% annually over the next three years. Forward-looking organizations recognize that cybersecurity is not merely a necessary cost — rather, they’re reframing cyber resilience as a core driver of business success. Businesses that proactively invest in modernizing their cyber resilience posture will actually see stronger growth, more reliably hitting their revenue and profitability targets.

What does it mean to transform cybersecurity into a business driver? This Diligent executive brief outlines a framework for building a culture of cyber resilience — bringing together technology and policy to drive change. Moreover, the brief highlights the role that the board and executive leadership must play in making this fundamental shift from reactive to strategic cyber resilience. Download the executive brief here.